What is a Risk Assessment?
A risk assessment can help identify critical events that could impact your organization, some of which you may not have taken into consideration. It covers assessing the likelihood of each event, the severity of the event, and the amount of time needed to recover and restore operations. If your business doesn't have a Business Continuity Plan for disaster recovery, you can download our template here.
Types of Threats:
Man-made Threats – Man-made threats are just that: threats made by humans. They comprise situations or events that involve intentional harm or injury to employees, disruption of services, or destruction of property.
Natural Threats – Natural threats, to put it simply, occur in nature. They comprise situations or events that occur in nature with no assistance from humans. While natural threats are predictable within certain limits using technology, they continue to dictate the geographic locations in which businesses operate, and where and how facilities are constructed.
Technological Threats – Technological threats include items such as chemical releases, radioactive contamination, transportation accidents or the failure of technology in general. This category involves man-made mechanisms or systems that, when not properly controlled or functioning, have a negative impact on the surrounding environment. Technological disasters may be started intentionally, by accident, or as a result of some natural event.
The Risk Assessment/Business Impact Analysis Considers:
- The source of the disruption;
- The type of disruption;
- The probability of its occurrence;
- The initial impact on the organization;
- The potential for expanding in severity over time and the associated impacts;
- The estimated length of time the business may be disrupted.
Conducting an Impact Analysis:
Rather than attempting to determine exact probabilities of each potential threat, a general rating system of high, medium and low was used to identify threats with the highest probability.
The risk assessment was also used to determine the impact of each type of potential threat on company personnel, building, and functions if the particular threat occurred. The impact levels are:
0 = No impact or disruption in operations.
1 = Some impact, but resumption could be accomplished within 8 hours.
2 = Damage to facilities and equipment occurred, but resumption could be completed within 24 hours.
3 = Major damage to facilities and equipment indicates operations will be impacted for over 48 hours. Business operations must move to an alternate site(s).
Summary of Results:
After conducting the Impact Analysis, you can quickly determine which threats pose the greatest risk to ongoing operations.
For example: the threats for "Company Name" included snow/ice storms, systems malfunction, and communications malfunction. Secondary potential threats included a variety of man-made, natural and technological events.
Don't Forget: Test, Test, Test
Testing your Business Continuity Plan is critical. Plan and perform a "Walk-Through Test." During the test you may find suggestions or observations for enhancing the plan.